CVE-2026-55201

MEDIUM 6.8

Evil-WinRM - Path Traversal in download_dir() Function

CVSS Score

6.8

EPSS Score

0.0%

EPSS Percentile

0th

Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the download_dir() function that allows a rogue or compromised remote Windows server to write files outside the intended download directory by returning filenames with traversal sequences from Get-ChildItem command output that are passed unsanitized to File.join(). Attackers controlling the remote server can exploit this to overwrite sensitive client-side files such as SSH authorized_keys or shell configuration files, achieving persistent access or privilege escalation on the client machine.

CWE	CWE-22
Vendor	hackplayers
Product	evil-winrm
Published	Jun 17, 2026

Stay Ahead of the Next One

Get instant alerts for hackplayers evil-winrm

Be the first to know when new medium vulnerabilities affecting hackplayers evil-winrm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

Hackplayers / evil-winrm

0 ≤ 3.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Hackplayers/evil-winrm/pull/81 github.com: https://github.com/Hackplayers/evil-winrm/commit/6ecd570a298562dc72ad73978307eb34182f5850 vulncheck.com: https://www.vulncheck.com/advisories/evil-winrm-path-traversal-in-download-dir-function

Credits

Tristan Madani (@TristanInSec)